This document shows you how to integrate reCAPTCHA for WAF with Akamai.
To complete the integration, you must implement one or more features of reCAPTCHA for WAF, create reCAPTCHA firewall policies, and integrate with Akamai by creating and configuring Akamai EdgeWorkers service.
Before you begin
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Record your Google Cloud project ID for later use.Make sure that billing is enabled for your Google Cloud project.
Enable the reCAPTCHA Enterprise API.
Create an API key for authentication:
In the Google Cloud console, go to the Credentials page. - Click Create credentials, and then select API key.
- Record the API key for later use.
Plan how you want to implement the features of reCAPTCHA for WAF to protect your website.
- Choose one or more WAF features that best match your use case.
- Identify the pages that you want to protect.
- Choose the type of WAF features that you want to implement on the identified pages.
- Identify the conditions to manage user access.
- Understand the reCAPTCHA firewall policy components and their attributes that help you to create reCAPTCHA firewall policies. For examples, see Examples of reCAPTCHA firewall policies.
For Akamai configuration, ensure that you have the following:
An Akamai account and an Akamai property for your application.
Access to the Akamai EdgeWorkers from the Akamai Marketplace.
Ability to create EdgeWorkers.
Download the reCAPTCHA package for Akamai
recaptcha_akamai_client_0.0.2.tgz
.
Implement features of reCAPTCHA for WAF
Depending on your requirements, you can use one or more features of reCAPTCHA for WAF in a single application.
If you want to use more than one feature, then you must create a reCAPTCHA key for each of those features and use them in your application. For example, if you want to use reCAPTCHA action-tokens and reCAPTCHA challenge page, then you must create an action-token key and a challenge-page key, and use them in your application.
action-token
You must have reCAPTCHA running on your web pages to generate action-tokens.
After reCAPTCHA generates an action-token, you attach the action-token to a predefined
request header wherever you need to protect any user action, such as checkout
. By default, action-tokens are valid for 30 minutes, but can vary depending on the traffic.
You must attach the action-token to a predefined request header before the token expires, so that
the Akamai can evaluate the token attributes.
To implement a reCAPTCHA action-token, do the following:
Create an action-token key for your website.
gcloud
To create reCAPTCHA keys, use the gcloud recaptcha keys create command.
Before using any of the command data below, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- INTEGRATION_TYPE: Type of integration.
Specify
score
orcheckbox
. - DOMAIN_NAME: Domains or subdomains of websites allowed to use
the key.
Specify multiple domains as a comma-separated list. Optional: Specify
--allow-all-domains
to disable domain verification.Disabling domain verification is a security risk because there are no restrictions on the site, so your reCAPTCHA key can be accessed and used by anyone.
- WAF_FEATURE: Name of the WAF feature.
Specify
action-token
. - WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
Execute the gcloud recaptcha keys create command:
Linux, macOS, or Cloud Shell
gcloud recaptcha keys create \ --web \ --display-name=DISPLAY_NAME \ --integration-type=INTEGRATION_TYPE \ --domains=DOMAIN_NAME \ --waf-feature=WAF_FEATURE \ --waf-service=WAF_SERVICE
Windows (PowerShell)
gcloud recaptcha keys create ` --web ` --display-name=DISPLAY_NAME ` --integration-type=INTEGRATION_TYPE ` --domains=DOMAIN_NAME ` --waf-feature=WAF_FEATURE ` --waf-service=WAF_SERVICE
Windows (cmd.exe)
gcloud recaptcha keys create ^ --web ^ --display-name=DISPLAY_NAME ^ --integration-type=INTEGRATION_TYPE ^ --domains=DOMAIN_NAME ^ --waf-feature=WAF_FEATURE ^ --waf-service=WAF_SERVICE
The response contains the newly created reCAPTCHA key.
REST
For API reference information about key types and integration types, see Key and Integration type.Before using any of the request data, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- INTEGRATION_TYPE: Type of integration.
Specify
score
orcheckbox
. - DOMAIN_NAME: Domains or subdomains of websites allowed to use
the key.
Specify multiple domains as a comma-separated list. Optional: Specify
--allow-all-domains
to disable domain verification.Disabling domain verification is a security risk because there are no restrictions on the site, so your reCAPTCHA key can be accessed and used by anyone.
- WAF_FEATURE: Name of the WAF feature.
Specify
action-token
. - WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
HTTP method and URL:
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys
Request JSON body:
{ "displayName": "DISPLAY_NAME", 'wafSettings': " { "wafService": "WAF_SERVICE", "wafFeature": "WAF_FEATURE" } "webSettings": { "allowedDomains": "DOMAINS", "integrationType": "TYPE_OF_INTEGRATION" } }
To send your request, choose one of these options:
curl
Save the request body in a file named
request.json
, and execute the following command:curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys"PowerShell
Save the request body in a file named
request.json
, and execute the following command:$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys" | Select-Object -Expand ContentYou should receive a JSON response similar to the following:
{ "name": "projects/project-id/keys/7Ldqgs0UBBBBBIn4k7YxEB-LwEh5S9-Gv6QQIWB8m", "displayName": "DISPLAY_NAME, "webSettings": { "allowAllDomains": true, "allowedDomains": [ "localhost" ], "integrationType": "SCORE", }, "wafSettings": { "wafService": "akamai", "wafFeature": "ACTION_TOKEN" } }
Record your action-token key for later use.
-
Integrate reCAPTCHA JavaScript on your web pages with the action-token key that
you created. For instructions, refer to the document that corresponds with the
integration type of your action-token key.
- For the
SCORE
integration type, see Integrate score-based keys with the frontend. - For the
CHECKBOX
integration type, see Render the reCAPTCHA widget on the frontend.
- For the
-
After you receive the token from reCAPTCHA, attach the token to
a predefined request header in the following format:
X-Recaptcha-Token: value-of-your-action-token
You can use languages such as XHR, Ajax, or Fetch API to attach the token to a predefined request header.
The following sample script shows how to protect the
execute
action and attach the token to a predefined request header using JavaScript + XHR:<script> src="https://www.google.com/recaptcha/enterprise.js?render=ACTION_TOKEN_KEY"></script> <script> function onSuccess(action_token) { const xhr = new XMLHttpRequest(); xhr.open('GET','YOUR_URL', false); // Attach the action-token to the predefined request header xhr.setRequestHeader("X-Recaptcha-Token", action_token); xhr.send(null); } function onError(reason) { alert('Response promise rejected: ' + reason); grecaptcha.enterprise.ready(function () { document.getElementById("execute-button").onclick = () => { grecaptcha.enterprise.execute('ACTION_TOKEN_KEY', { }).then(onSuccess, onError); }; }); } </script>
session-token
The reCAPTCHA JavaScript sets a reCAPTCHA session-token as a cookie on the end user's browser after the assessment. The end user's browser attaches the cookie and refreshes the cookie as long as the reCAPTCHA JavaScript remains active.
To provide a session-token as a cookie, install a session-token key on at least one of your web pages that the end user browses before the page that needs to be protected. For example, if you want to protect the checkout page, install a session-token key on the home page or product page.
To learn about how to install session-token keys on your web pages, see Integrate score-based keys with the frontend.
You can use this cookie to protect the end user's subsequent requests and page loads on a specific domain. Session-tokens are valid for 30 minutes by default. However, if the end user stays on the page where you implemented the session-token, reCAPTCHA refreshes the session-token periodically to prevent it from expiring.
Install session-tokens on each page that needs to be protected by reCAPTCHA. We recommend that you protect every page with reCAPTCHA and use Google Cloud Armor rules to enforce access on all the pages, except the first page that end users browse.
The following is a sample reCAPTCHA session-token:recaptcha-ca-t=value-of-your-session-token;domain=domain;expires=expiration_time
To implement a reCAPTCHA session-token, do the following:
- Create a session-token key for your website.
gcloud
To create reCAPTCHA keys, use the gcloud recaptcha keys create command.
Before using any of the command data below, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- INTEGRATION_TYPE: Type of integration.
Specify
score
. - DOMAIN_NAME: Domains or subdomains of websites allowed to use
the key.
Specify multiple domains as a comma-separated list. Optional: Specify
--allow-all-domains
to disable domain verification.Disabling domain verification is a security risk because there are no restrictions on the site, so your reCAPTCHA key can be accessed and used by anyone.
- WAF_FEATURE: Name of the WAF feature.
Specify
session-token
. - WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
Execute the gcloud recaptcha keys create command:
Linux, macOS, or Cloud Shell
gcloud recaptcha keys create \ --web \ --display-name=DISPLAY_NAME \ --integration-type=INTEGRATION_TYPE \ --domains=DOMAIN_NAME \ --waf-feature=WAF_FEATURE \ --waf-service=WAF_SERVICE
Windows (PowerShell)
gcloud recaptcha keys create ` --web ` --display-name=DISPLAY_NAME ` --integration-type=INTEGRATION_TYPE ` --domains=DOMAIN_NAME ` --waf-feature=WAF_FEATURE ` --waf-service=WAF_SERVICE
Windows (cmd.exe)
gcloud recaptcha keys create ^ --web ^ --display-name=DISPLAY_NAME ^ --integration-type=INTEGRATION_TYPE ^ --domains=DOMAIN_NAME ^ --waf-feature=WAF_FEATURE ^ --waf-service=WAF_SERVICE
The response contains the newly created reCAPTCHA key.
REST
For API reference information about key types and integration types, see Key and Integration type.Before using any of the request data, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- INTEGRATION_TYPE: Type of integration.
Specify
score
. - DOMAIN_NAME: Domains or subdomains of websites allowed to use
the key.
Specify multiple domains as a comma-separated list. Optional: Specify
--allow-all-domains
to disable domain verification.Disabling domain verification is a security risk because there are no restrictions on the site, so your reCAPTCHA key can be accessed and used by anyone.
- WAF_FEATURE: Name of the WAF feature.
Specify
session-token
. - WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
HTTP method and URL:
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys
Request JSON body:
{ "displayName": "DISPLAY_NAME", 'wafSettings': " { "wafService": "WAF_SERVICE", "wafFeature": "WAF_FEATURE" } "webSettings": { "allowedDomains": "DOMAINS", "integrationType": "TYPE_OF_INTEGRATION" } }
To send your request, choose one of these options:
curl
Save the request body in a file named
request.json
, and execute the following command:curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys"PowerShell
Save the request body in a file named
request.json
, and execute the following command:$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys" | Select-Object -Expand ContentYou should receive a JSON response similar to the following:
{ "name": "projects/project-id/keys/7Ldqgs0UBBBBBIn4k7YxEB-LwEh5S9-Gv6QQIWB8m", "displayName": "DISPLAY_NAME, "webSettings": { "allowAllDomains": true, "allowedDomains": [ "localhost" ], "integrationType": "SCORE", }, "wafSettings": { "wafService": "akamai", "wafFeature": "SESSION_TOKEN" } }
Record your session-token key for later use.
If you want to inject the reCAPTCHA JavaScript from Akamai, skip the next step and configure the properties in Akamai Property Manager.
-
Add the session-token key and
waf=session
to the reCAPTCHA JavaScript.The following sample script shows how to implement a session-token on a web page:
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>reCAPTCHA WAF Session Token</title> <script src="https://www.google.com/recaptcha/enterprise.js?render=SESSION_TOKEN_KEY&waf=session" async defer></script> <body></body> </head> </html>
challenge-page
When you implement a reCAPTCHA challenge page, reCAPTCHA redirects to an interstitial page where it determines if it's necessary to show a CAPTCHA challenge to a user. Therefore, CAPTCHA challenges might not be visible to all users.
To implement a reCAPTCHA challenge page, do the following:
- Create a challenge-page key for your website.
gcloud
To create reCAPTCHA keys, use the gcloud recaptcha keys create command.
Before using any of the command data below, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- INTEGRATION_TYPE: Type of integration.
Specify
invisible
. - DOMAIN_NAME: Domains or subdomains of websites allowed to use
the key.
Specify
--allow-all-domains
. - WAF_FEATURE: Name of the WAF feature.
Specify
challenge-page
. - WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
Execute the gcloud recaptcha keys create command:
Linux, macOS, or Cloud Shell
gcloud recaptcha keys create \ --web \ --display-name=DISPLAY_NAME \ --integration-type=INTEGRATION_TYPE \ --domains=DOMAIN_NAME \ --waf-feature=WAF_FEATURE \ --waf-service=WAF_SERVICE
Windows (PowerShell)
gcloud recaptcha keys create ` --web ` --display-name=DISPLAY_NAME ` --integration-type=INTEGRATION_TYPE ` --domains=DOMAIN_NAME ` --waf-feature=WAF_FEATURE ` --waf-service=WAF_SERVICE
Windows (cmd.exe)
gcloud recaptcha keys create ^ --web ^ --display-name=DISPLAY_NAME ^ --integration-type=INTEGRATION_TYPE ^ --domains=DOMAIN_NAME ^ --waf-feature=WAF_FEATURE ^ --waf-service=WAF_SERVICE
The response contains the newly created reCAPTCHA key.
REST
For API reference information about key types and integration types, see Key and Integration type.Before using any of the request data, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- INTEGRATION_TYPE: Type of integration.
Specify
invisible
. - DOMAIN_NAME: Domains or subdomains of websites allowed to use
the key.
Specify
--allow-all-domains
. - WAF_FEATURE: Name of the WAF feature.
Specify
challenge-page
. - WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
HTTP method and URL:
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys
Request JSON body:
{ "displayName": "DISPLAY_NAME", 'wafSettings': " { "wafService": "WAF_SERVICE", "wafFeature": "WAF_FEATURE" } "webSettings": { "allowedDomains": "DOMAINS", "integrationType": "TYPE_OF_INTEGRATION" } }
To send your request, choose one of these options:
curl
Save the request body in a file named
request.json
, and execute the following command:curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys"PowerShell
Save the request body in a file named
request.json
, and execute the following command:$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys" | Select-Object -Expand ContentYou should receive a JSON response similar to the following:
{ "name": "projects/project-id/keys/7Ldqgs0UBBBBBIn4k7YxEB-LwEh5S9-Gv6QQIWB8m", "displayName": "DISPLAY_NAME, "webSettings": { "allowAllDomains": true, "allowedDomains": [ "localhost" ], "integrationType": "INVISIBLE", }, "wafSettings": { "wafService": "akamai", "wafFeature": "CHALLENGE_PAGE" } }
Record your challenge-page key for later use.
- To redirect users to the reCAPTCHA challenge page and receive a reCAPTCHA
token, create a firewall policy with the
redirect
action on protected pages.
express
To implement reCAPTCHA WAF express protection, create an express key.
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
gcloud
To create reCAPTCHA keys, use the gcloud recaptcha keys create command.
Before using any of the command data below, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
Execute the gcloud recaptcha keys create command:
Linux, macOS, or Cloud Shell
gcloud recaptcha keys create \ --express \ --display-name=DISPLAY_NAME \ --waf-service=WAF_SERVICE
Windows (PowerShell)
gcloud recaptcha keys create ` --express ` --display-name=DISPLAY_NAME ` --waf-service=WAF_SERVICE
Windows (cmd.exe)
gcloud recaptcha keys create ^ --express ^ --display-name=DISPLAY_NAME ^ --waf-service=WAF_SERVICE
The response contains the newly created reCAPTCHA key.
REST
For API reference information about key types and integration types, see Key and Integration type.Before using any of the request data, make the following replacements:
- DISPLAY_NAME: Name for the key. Typically a site name.
- WAF_SERVICE: Name of the
WAF service provider.
Specify
akamai
for Akamai.
HTTP method and URL:
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys
Request JSON body:
{ "displayName": "DISPLAY_NAME", 'wafSettings': " { "wafService": "WAF_SERVICE", }
To send your request, choose one of these options:
curl
Save the request body in a file named
request.json
, and execute the following command:curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys"PowerShell
Save the request body in a file named
request.json
, and execute the following command:$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys" | Select-Object -Expand ContentYou should receive a JSON response similar to the following:
{ "name": "projects/project-id/keys/7Ldqgs0UBBBBBIn4k7YxEB-LwEh5S9-Gv6QQIWB8m", "displayName": "DISPLAY_NAME, }, "wafSettings": { "wafService": "akamai", } }
Record your express key for later use.
Integrate with Akamai
To integrate with Akamai, you must set up the EdgeWorker service and configure properties for the EdgeWorker service in Property Manager.
Set up the EdgeWorker service
From the Akamai Control Center, create an EdgeWorker ID and assign the Editor role to the EdgeWorker ID that you create.
To upload the reCAPTCHA package for Akamai, create an EdgeWorker version by using the reCAPTCHA package that you downloaded.
Configure properties in Property Manager
Select your Akamai property that you want to protect, and create a new version of the property.
Depending on the WAF features that you have implemented, create your global user-defined variables. The global variables you set in properties start with the
PMUSER_
prefix.The following table lists the variables that you can create and add in the property variables section:
Variable name Description Security setting RECAPTCHAJSINSTALL
Inject reCAPTCHA JavaScript. URLs of the pages where you want Akamai to call the reCAPTCHA API to assess the reCAPTCHA score and perform the action that is configured in the firewall policy. Specify the paths as a glob pattern and use `;` as the delimiter. Hidden RECAPTCHACHALLENGESITEKEY
reCAPTCHA challenge-page key. This variable is required if you want to redirect users to the reCAPTCHA challenge page. Hidden RECAPTCHAACTIONSITEKEY
reCAPTCHA action-token key. This variable is required if you're using reCAPTCHA action-token for protecting your pages. Hidden RECAPTCHASESSIONSITEKEY
reCAPTCHA session-token key. This variable is required if you are using reCAPTCHA session-token for protecting your pages. You need to use this variable if RECAPTCHAJSINSTALL
is set to configure reCAPTCHA JavaScript from Akamai.Hidden RECAPTCHAEXPRESSSITEKEY
reCAPTCHA express key. This variable is required if you're using reCAPTCHA express for protecting your pages. Hidden GCPPROJECTNUMBER
Your Google Cloud project ID.
Hidden GCPAPIKEY
The API key that you created for authentication.
Hidden For instructions, see Create a variable.
To enable the EdgeWorker service, add a rule using the Blank Rule Template with the following information:
Criteria
- Name:
reCAPTCHA EdgeWorkers rule
Criteria: Match All
If
Path
matches one of
/*
The
matches one of
criteria must match a superset of the URLs that need to be protected by reCAPTCHA. The path/*
includes all the paths. You can choose to add specific pages.Optional: If you want to add an additional condition to limit the file extensions, use the following:
If
File Extension
is one of
html
- Name:
Behavior
- Enable: On
- Identifier: Your_EdgeWorker_ID
- Enable mPulse reports: Off
To forward the call from the EdgeWorker service to the reCAPTCHA
createAssessment
API, add a new rule using the Blank Rule Template with the following information:Criteria
- Name:
reCAPTCHA assessment rule
- Criteria: Match All
If
Path
matches one of
/v1/projects/*/assessments
- Name:
Behavior
- Origin Type: Your Origin
- Origin Server Hostname:
public-preview-recaptchaenterprise.googleapis.com
- Forward Host Header: Custom Value
- Custom Forward Host Header:
public-preview-recaptchaenterprise.googleapis.com
- Cache Key Hostname: Origin Hostname
- Supports Gzip Compression: Yes
- Send True Client IP Header: Yes
- True Client IP Header Name: True-Client-IP
- Allow Clients To Set True Client IP Header: No
- Verification Settings: Use platform settings
- Use SNI TLS Extension: Yes
- HTTP Port: 80
- HTTPS Port: 443
Optional: To forward the call from the EdgeWorker service to the reCAPTCHA challenge page, add a new rule to redirect traffic to the challenge page with the following information:
Criteria
- Name:
reCAPTCHA challenge page rule
- Criteria: Match All
If
Path
matches one of
/recaptcha/challengepage
- Name:
Behavior
- Origin Type: Your Origin
- Origin Server Hostname:
www.google.com
- Forward Host Header: Custom Value
- Custom Forward Host Header:
www.google.com
- Cache Key Hostname: Origin Hostname
- Supports Gzip Compression: Yes
- Send True Client IP Header: Yes
- True Client IP Header Name: True-Client-IP
- Allow Clients To Set True Client IP Header: No
- Verification Settings: Use platform settings
- Use SNI TLS Extension: Yes
- HTTP Port: 80
- HTTPS Port: 443
Activate the changes:
Create reCAPTCHA firewall policies
You must create a firewall policy that specifies rules for every page that you want to protect on your website. You can create firewall policies with one or more features of reCAPTCHA for WAF.
In your reCAPTCHA firewall policy, add rules in the order of the intended
priority. The first rule has the highest order. You can also reorder the
priority by using ReorderFirewallPoliciesRequest
.
For an incoming request, when a policy condition matches for the specified path,
your WAF service provider implements the defined action and the subsequent rules
are not evaluated.
- Based on the features that you chose, do the following:
- Identify the path you want to protect.
- Identify the conditions to allow, redirect, or block access.
- Prioritize the rules.
- Understand the firewall policy components and their attributes.
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
- To override gcloud CLI to access the public preview version of
the reCAPTCHA API, run the following command:
gcloud config set api_endpoint_overrides/recaptchaenterprise https://public-preview-recaptchaenterprise.googleapis.com/
- To create reCAPTCHA firewall policies, use the gcloud
recaptcha firewall-policies create command:
In your reCAPTCHA firewall policy, add rules in order of the intended priority. You must add a rule with the highest priority first. For an incoming request, when a policy condition matches for the specified path, your WAF service provider implements the defined action and the subsequent rules are not evaluated. The default rule is to allow access.
gcloud recaptcha firewall-policies create \ --actions=ACTION \ --condition=CONDITION \ --description=DESCRIPTION \ --path=PATH
Provide the following values:
- ACTION: The actions that your WAF service provider must take
for the incoming request. It can contain at most one terminal action, which
is an action that forces a response.
Specify one of the following actions:
allow
: allows access to the requested page. This is a terminal action.block
: denies access to the requested page. This is a terminal action.redirect
: redirects the incoming user request to the reCAPTCHA challenge page. This is a terminal action.substitute
: serves a different page other than the requested page to a fraudulent user request. This is a terminal action.set_header
: sets a custom header and allows the incoming user request to continue to the backend. The backend then can trigger a customized protection. This is a non-terminal action.
- CONDITION: a CEL (Common Expression Language) conditional expression that specifies if the reCAPTCHA firewall policy applies to an incoming user request. If this condition evaluates to true and the requested path matches the path pattern, the associated actions are executed by the WAF service provider. The condition string is checked for CEL syntax correctness on creation. For more information about the language definition, CEL language definition.
- DESCRIPTION: a description of what the reCAPTCHA firewall policy aims to achieve. The description must be at most 256 UTF-8 characters.
- PATH: the path for which the reCAPTCHA firewall policy applies. It must be specified as a glob pattern. For more information on glob, see the manual page.
After the successful execution of the command, output similar to the following is displayed:
Created [100].
The following example creates a reCAPTCHA firewall policy to block traffic targeting for
/example/page.html
when the score is less than 0.1.gcloud recaptcha firewall-policies create \ --description="example policy" \ --path="/example/page.html" \ --condition="recaptcha.score < 0.1" \ --actions="block"
- ACTION: The actions that your WAF service provider must take
for the incoming request. It can contain at most one terminal action, which
is an action that forces a response.
Specify one of the following actions: